
Cookies error when connect via ssh port forwarding

I have a PHP script running on a remote server inside a private network, and I need to give access to it only via ssh port forwarding (ssh -L …), remote port 80 to local 8080. The script sets cookies for auth purposes, and if I try to log in, the browser discards the cookies with the error “set-cookie domain attribute was invalid with regards to the current host url”. But this works OK if I log in inside the private network. The script sets cookies using “HTTP_HOST”: setcookie('auth',$hash,time()+$sesstime,"/",$_SERVER['HTTP_HOST'],false,false);

So I see the cookies come with the correct address when connecting via port forwarding, just as via internal network access. Next is the log for port forwarding access (my address is 192.168.32.2):

Set-Cookie: auth=431d622765774d602236744a6472324c417c712b194e377130771f64783b7b1a3379306656033a2473; expires=Thu, 01-Apr-2021 19:06:04 GMT; Max-Age=18000000; path=/; domain=192.168.32.2:8080

And next for internal network access:

Set-Cookie: auth=001228333034422a366337452e6667435573656816157d673430427f636763447e6d632c1c566f6e64; expires=Thu, 01-Apr-2021 19:04:51 GMT; Max-Age=18000000; path=/; domain=10.10.1.2

More variables:

["REMOTE_ADDR"]=> string(11) "10.10.1.2"
["HTTP_HOST"]=> string(14) "192.168.32.2:8080"
["SERVER_NAME"]=> string(11) "10.10.1.2"

Is there any solution? I need to set up correct port forwarding access.


Answer

Cookies are not port specific, so removing the port from the cookie domain will solve this issue.

8.5. Weak Confidentiality

Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server. For this reason, servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security-sensitive information.

from RFC 6265. And a domain does not contain a port number (RFC 1034).
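As an added illustration (not code from the question or the answer), the following Python models both halves of the problem: deriving a usable Domain attribute from HTTP_HOST by stripping the port, and the RFC 6265 domain-match a browser applies before storing a cookie. The hostnames and cookie values are the ones quoted in the question.

```python
import ipaddress

def host_without_port(http_host: str) -> str:
    """Strip the :port from a Host header value such as "192.168.32.2:8080".
    Bracketed IPv6 literals like "[::1]:8080" keep their brackets."""
    host = http_host.strip()
    if host.startswith("["):
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def domain_matches(request_host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical strings match; otherwise only a host
    name (never an IP address) matches a Domain that is its parent suffix."""
    request_host = request_host.lower()
    domain = domain.lower().lstrip(".")
    if request_host == domain:
        return True
    if is_ip_literal(request_host):
        return False
    return request_host.endswith("." + domain)

def set_cookie_accepted(request_host: str, domain_attr: str) -> bool:
    """Would a browser store a cookie carrying this Domain attribute for a
    response to a request sent to request_host? Empty Domain = host-only."""
    if domain_attr == "":
        return True
    _head, sep, tail = domain_attr.rpartition(":")
    if sep and tail.isdigit():        # "host:port" is not a domain name (RFC 1034)
        return False
    return domain_matches(request_host, domain_attr)

def build_set_cookie(name: str, value: str, http_host: str, max_age: int) -> str:
    """The answer's fix applied: Domain comes from HTTP_HOST minus the port."""
    domain = host_without_port(http_host)
    return f"{name}={value}; Max-Age={max_age}; Path=/; Domain={domain}"
```

With the question's forwarded Host value, the unfixed Domain "192.168.32.2:8080" is rejected for a request host of 192.168.32.2, while the stripped "192.168.32.2" is accepted; the server-side SERVER_NAME value 10.10.1.2 would also be rejected, which is why the port-stripped HTTP_HOST, not SERVER_NAME, is the right source.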

User contributions licensed under: CC BY-SA